ci: add build provenance attestations for release artifacts#10316
Conversation
Add SLSA build provenance attestations using actions/attest to the release workflow. This allows users to verify the origin of release artifacts with `gh attestation verify`.

Changes:
- Add attestations:write permission to reusable-release workflow
- Add actions/attest step after GoReleaser (skipped for canary builds)
- Set fixed checksums filename in goreleaser.yml for predictable path
| if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} | ||
| uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 | ||
| with: | ||
| subject-checksums: dist/checksums.txt |
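Review bot: the `subject-checksums: dist/checksums.txt` path only exists because goreleaser.yml overrides GoReleaser's default checksum filename, and that override diverges from the versioned `trivy_X.Y.Z_checksums.txt` name that `contrib/install.sh` downloads; keep the default GoReleaser name and point `subject-checksums` at it instead, so the attested file and the file users fetch are the same one.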
There is an issue with the install script. It currently expects a versioned filename:
Lines 393 to 394 in 75c4dc0
Because of this, http_download will fail when trying to fetch trivy_X.Y.Z_checksums.txt (instead of checksums.txt).
We either need to update the install script, or, alternatively, we can just specify the correct filename right here:
| subject-checksums: dist/checksums.txt | |
| subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt |
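Review bot: `github.ref_name` keeps the `v` prefix of the tag (`v0.0.2-...`), while GoReleaser names the checksum file with `{{ .Version }}`, which strips it, so `dist/trivy_${{ github.ref_name }}_checksums.txt` will not exist on a `vX.Y.Z` release and the attest step fails; take the version from the GoReleaser step's metadata output (`fromJSON(steps.goreleaser.outputs.metadata).version`) rather than from the ref.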
Did you test this?
I understand now that we don't trim the v prefix for github.ref_name.
You're right, I hadn't tested after changing to dist/trivy_${{ github.ref_name }}_checksums.txt. The v prefix needed to be stripped since GoReleaser's {{ .Version }} doesn't include it.
I've fixed this by using fromJSON(steps.goreleaser.outputs.metadata).version instead, which gives the version without the v prefix directly from GoReleaser's output.
Confirmed working: https://github.com/knqyf263/trivy/actions/runs/22934149686/job/66561715834
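The consumer side of what this thread settles on, as an added example (not the project's `contrib/install.sh` and not code from the PR): derive the versioned checksum filename the way GoReleaser does (tag without the `v` prefix), verify a downloaded artifact's SHA-256 against it, and only then verify its provenance with `gh attestation verify`. It assumes the artifacts are already downloaded into `$dir` and that `sha256sum`, `awk` and `gh` are available; `aquasecurity/trivy` is assumed to be the repository the release was attested from.

```shell
#!/usr/bin/env bash
# Added example, not the project's install script: verify a downloaded Trivy
# release artifact against the versioned GoReleaser checksums file, then check
# its build provenance. Assumes artifacts were downloaded into $dir and the
# release tag is given as on GitHub (v-prefixed, e.g. v0.0.2-test-provenance).

# GoReleaser names the file with {{ .Version }}, which drops the leading "v":
# tag v1.2.3 -> trivy_1.2.3_checksums.txt (not trivy_v1.2.3_checksums.txt).
checksums_name() {
  local tag="$1"
  printf 'trivy_%s_checksums.txt' "${tag#v}"
}

# Returns 0 when the artifact's SHA-256 matches its entry in the checksums
# file, 1 when the file or the entry is missing or the digest differs.
verify_checksum() {
  local dir="$1" artifact="$2" tag="$3"
  local checksums expected actual
  checksums="$dir/$(checksums_name "$tag")"
  [ -f "$checksums" ] || { echo "missing $checksums" >&2; return 1; }
  # GoReleaser checksum format: "<sha256>  <filename>", one artifact per line
  expected=$(awk -v f="$artifact" '$2 == f { print $1 }' "$checksums")
  [ -n "$expected" ] || { echo "no checksum entry for $artifact" >&2; return 1; }
  actual=$(sha256sum "$dir/$artifact" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Full consumer-side check: digest first (cheap, offline), then the SLSA
# provenance attestation, which ties the artifact to the release workflow run
# in the named repository. Assumed repository: aquasecurity/trivy.
verify_release_artifact() {
  local dir="$1" artifact="$2" tag="$3"
  verify_checksum "$dir" "$artifact" "$tag" || return 1
  gh attestation verify "$dir/$artifact" --repo aquasecurity/trivy
}
```

`verify_release_artifact ./dist trivy_0.0.2-test-provenance_Linux-64bit.tar.gz v0.0.2-test-provenance` runs both checks; the attestation step needs network access to the GitHub API.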
Use the default goreleaser checksum filename (trivy_X.Y.Z_checksums.txt) instead of the custom checksums.txt, to stay consistent with the install script (contrib/install.sh) which expects the versioned filename.
Description
Add SLSA build provenance attestations to the release workflow using actions/attest. While cosign keyless signing already provides signature verification, attestations offer a standardized SLSA format and simple verification via `gh attestation verify`.

Changes:
- Add `attestations: write` permission to `reusable-release.yaml`
- Add `id: goreleaser` to the GoReleaser step to access its outputs
- Add `actions/attest@v4.1.0` step after GoReleaser to generate attestations from the versioned checksums file (`dist/trivy_<version>_checksums.txt`)
- Use `fromJSON(steps.goreleaser.outputs.metadata).version` to get the version without the `v` prefix, matching GoReleaser's checksum filename

Tested on `knqyf263/trivy` with a release workflow run (v0.0.2-test-provenance), confirming that:
Related issues
Checklist